commit: b6371921229cf02860e383fe970d331ebcaad159
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 20:27:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6371921
monit: update
add monit cli policy and several interfaces
policy/modules/contrib/monit.fc | 6 +-
policy/modules/contrib/monit.if | 127 ++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/monit.te | 134 ++++++++++++++++++++++++++--------------
3 files changed, 217 insertions(+), 50 deletions(-)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index d47fa153..273aad3e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -1,7 +1,8 @@
/etc/rc\.d/init\.d/monit --
gen_context(system_u:object_r:monit_initrc_exec_t,s9)
-/etc/monit(/.*)?
gen_context(system_u:object_r:monit_etc_t,s0)
-/run/monit\.pid --
gen_context(system_u:object_r:monit_run_t,s0)
+/etc/monit(/.*)?
gen_context(system_u:object_r:monit_conf_t,s0)
+
+/run/monit\.pid --
gen_context(system_u:object_r:monit_pid_t,s0)
/usr/bin/monit --
gen_context(system_u:object_r:monit_exec_t,s0)
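Review bot: The unchanged entry for `/etc/rc\.d/init\.d/monit` is shown with sensitivity `s9`, while every other entry in this file section uses `s0`. If that is what the tree really contains, an MLS build would label the init script at a level the other monit files do not share. It may be an artifact of how this page was rendered, so check it against the repository. If it is real, the entry should read `gen_context(system_u:object_r:monit_initrc_exec_t,s0)`.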
@@ -10,4 +11,3 @@
/var/lib/monit(/.*)?
gen_context(system_u:object_r:monit_var_lib_t,s0)
/var/log/monit\.log.* --
gen_context(system_u:object_r:monit_log_t,s0)
-
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d387f435..6107ef9d 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -1 +1,126 @@
-## <summary>Monit system monitoring daemon</summary>
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run monit cli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`monit_domtrans_cli',`
+ gen_require(`
+ type monit_cli_t, monit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, monit_exec_t, monit_cli_t)
+')
+
+########################################
+## <summary>
+## Execute monit in the monit cli domain,
+## and allow the specified role
+## the monit cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_run_cli',`
+ gen_require(`
+ attribute_role monit_cli_roles;
+ ')
+
+ monit_domtrans_cli($1)
+ roleattribute $2 monit_cli_roles;
+')
+
+########################################
+## <summary>
+## Reload the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_reload',`
+ gen_require(`
+ class service { reload status };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { reload status };
+')
+
+########################################
+## <summary>
+## Start and stop the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_startstop_service',`
+ gen_require(`
+ class service { start status stop };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { start status stop };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_admin',`
+ gen_require(`
+ type monit_t, monit_conf_t, monit_initrc_exec_t;
+ type monit_log_t, monit_pid_t;
+ type monit_unit_t, monit_var_lib_t;
+ ')
+
+ admin_process_pattern($1, monit_t)
+
+ init_startstop_service($1, $2, monit_t, monit_initrc_exec_t,
monit_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monit_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, monit_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monit_pid_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, monit_var_lib_t)
+
+ monit_run_cli($1, $2)
+')
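Review bot: `monit_reload` and `monit_startstop_service` grant the `service` permissions only on `monit_initrc_exec_t`, whereas `monit_admin` in the same hunk also passes `monit_unit_t` to `init_startstop_service`. On a systemd host where monit runs from a native unit labelled `monit_unit_t`, callers of the two narrower interfaces would presumably still be denied. If that is not intended, require `monit_unit_t` in both and add `allow $1 monit_unit_t:service { reload status };` and `allow $1 monit_unit_t:service { start status stop };` respectively. The `monit_admin` summary also has a typo, "an monit environment", which should read "a monit environment".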
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 14aeddcd..470c44f4 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -12,24 +12,29 @@ policy_module(monit, 1.0.1)
## </desc>
gen_tunable(monit_startstop_services, false)
-attribute_role monit_interactive_roles;
+attribute_role monit_cli_roles;
-type monit_t;
+attribute monit_domain;
+
+type monit_t, monit_domain;
type monit_exec_t;
init_daemon_domain(monit_t, monit_exec_t)
-type monit_etc_t;
-files_config_file(monit_etc_t)
-files_security_file(monit_etc_t) # may contain password for monit webinterface
+type monit_conf_t alias monit_etc_t;
+files_security_file(monit_conf_t) # may contain password for monit webinterface
type monit_initrc_exec_t;
init_script_file(monit_initrc_exec_t)
+type monit_cli_t, monit_domain;
+application_domain(monit_cli_t, monit_exec_t)
+role monit_cli_roles types monit_cli_t;
+
type monit_log_t;
logging_log_file(monit_log_t)
-type monit_run_t;
-files_pid_file(monit_run_t)
+type monit_pid_t alias monit_run_t;
+files_pid_file(monit_pid_t)
type monit_unit_t;
init_unit_file(monit_unit_t)
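Review bot: The renamed `monit_conf_t` keeps `files_security_file()` but no longer gets `files_config_file()`, and nothing in the hunk says why. If the aim is to keep a file that may hold the web interface password out of generic config-file access, the comment should say so, or a later cleanup may re-add the macro. Something like `# security file only: may contain the monit web interface password, so deliberately not a generic config file` would do. Also note that the types get an `alias` for the old names but `monit_interactive_roles` is replaced by `monit_cli_roles` with no compatibility path, so any out-of-tree module that requires the old role attribute would need updating.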
@@ -39,6 +44,37 @@ files_type(monit_var_lib_t)
########################################
#
+# Common monit domain policy
+#
+
+allow monit_domain self:unix_stream_socket create_stream_socket_perms;
+allow monit_domain monit_t:process { getpgid sigkill signal };
+
+allow monit_domain monit_conf_t:dir list_dir_perms;
+allow monit_domain monit_conf_t:file read_file_perms;
+allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms;
+
+kernel_read_system_state(monit_domain)
+
+# can not use with attributes
+#auth_use_nsswitch(monit_domain)
+
+# read /sys/class/net/eth0 /sys/devices/system/cpu
+dev_read_sysfs(monit_domain)
+dev_read_urand(monit_domain)
+
+fs_getattr_dos_fs(monit_domain)
+fs_getattr_dos_dirs(monit_domain)
+fs_getattr_tmpfs(monit_domain)
+fs_getattr_xattr_fs(monit_domain)
+
+miscfiles_read_localization(monit_domain)
+
+# disk usage of sd card
+storage_getattr_removable_dev(monit_domain)
+
+########################################
+#
# Daemon policy
#
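Review bot: Moving `allow monit_domain monit_t:process { getpgid sigkill signal };` into the common block gives `monit_cli_t`, and so every role granted `monit_run_cli`, the right to SIGKILL the daemon. Before this change the rule applied only to `monit_t self`. The hunk does not show whether the client needs more than ordinary signals to ask the daemon to quit or reload. If it does not, keep `allow monit_domain monit_t:process { getpgid signal };` here and put `allow monit_t self:process sigkill;` in the daemon section. The same block also lets the CLI domain read `monit_conf_t`, which is marked as possibly holding a password, so a short comment saying the client needs it to authenticate to the daemon would record why that is shared.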
@@ -46,72 +82,78 @@ files_type(monit_var_lib_t)
# net_raw : create raw sockets
# sys_ptrace : trace processes
allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
-# kernel bug
-dontaudit monit_t self:capability dac_override;
# setsockopt
dontaudit monit_t self:capability net_admin;
-allow monit_t self:process { getpgid sigkill signal };
allow monit_t self:fifo_file rw_fifo_file_perms;
-allow monit_t self:netlink_route_socket r_netlink_socket_perms;
allow monit_t self:rawip_socket connected_socket_perms;
-allow monit_t self:sem rw_sem_perms;
-allow monit_t self:tcp_socket create_stream_socket_perms;
-allow monit_t self:udp_socket create_socket_perms;
-allow monit_t self:unix_stream_socket create_stream_socket_perms;
-
-allow monit_t monit_etc_t:dir list_dir_perms;
-allow monit_t monit_etc_t:file read_file_perms;
-allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+allow monit_t self:tcp_socket server_stream_socket_perms;
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
-allow monit_t monit_run_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_run_t, file)
+allow monit_t monit_pid_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_pid_t, file)
allow monit_t monit_var_lib_t:dir manage_dir_perms;
allow monit_t monit_var_lib_t:file manage_file_perms;
-kernel_read_system_state(monit_t)
+auth_use_nsswitch(monit_t)
corecmd_exec_bin(monit_t)
+
corenet_tcp_bind_generic_node(monit_t)
corenet_tcp_bind_monit_port(monit_t)
corenet_tcp_connect_all_ports(monit_t)
-dev_read_sysfs(monit_t)
-dev_read_urand(monit_t)
-
domain_getpgid_all_domains(monit_t)
domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
-fs_getattr_dos_fs(monit_t)
-fs_getattr_tmpfs(monit_t)
-fs_getattr_xattr_fs(monit_t)
-fs_search_dos(monit_t)
-
-storage_getattr_fixed_disk_dev(monit_t)
-
-auth_use_nsswitch(monit_t)
-
-miscfiles_read_localization(monit_t)
-
-sysnet_read_config(monit_t)
+ifdef(`hide_broken_symptoms',`
+ # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
+ dontaudit monit_t self:capability dac_override;
+')
-ifdef(`init_systemd',`
- tunable_policy(`monit_startstop_services',`
- init_get_all_units_status(monit_t)
- init_get_system_status(monit_t)
- init_startstop_all_script_services(monit_t)
- init_start_all_units(monit_t)
- init_stop_all_units(monit_t)
- init_stream_connect(monit_t)
- ')
+tunable_policy(`monit_startstop_services',`
+ init_get_all_units_status(monit_t)
+ init_get_system_status(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+ init_stream_connect(monit_t)
')
optional_policy(`
dbus_system_bus_client(monit_t)
')
+
+########################################
+#
+# Client policy
+#
+
+allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
+
+allow monit_cli_t monit_pid_t:file rw_file_perms;
+
+allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
+allow monit_cli_t monit_var_lib_t:file rw_file_perms;
+
+auth_use_nsswitch(monit_cli_t)
+
+corecmd_check_exec_bin_files(monit_cli_t)
+
+corenet_tcp_connect_monit_port(monit_cli_t)
+
+dev_read_rand(monit_cli_t)
+
+domain_use_interactive_fds(monit_cli_t)
+
+files_search_pids(monit_cli_t)
+files_search_var_lib(monit_cli_t)
+
+logging_search_logs(monit_cli_t)
+
+userdom_dontaudit_search_user_home_dirs(monit_cli_t)
+userdom_use_inherited_user_terminals(monit_cli_t)
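Review bot: The new client section gives `monit_cli_t` write access to daemon-owned state with no comment explaining why, in `allow monit_cli_t monit_pid_t:file rw_file_perms;` and `allow monit_cli_t monit_var_lib_t:file rw_file_perms;`. The daemon section, by contrast, annotates each capability. Because this domain is entered from user roles, write access to the pid file matters: a process that can rewrite it may influence which process later gets signalled. If the client only reads these files, narrow both to `read_file_perms`. Otherwise add a one-line comment above each rule naming the client operation that needs the write, as the `# net_raw : create raw sockets` style does above.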